Microsoft Adding New BYOD Security Features to Windows 8.1

Ahead of its appearance at last week's Black Hat 2013 security conference in Las Vegas, Microsoft outlined the new security features it's adding in the Windows 8.1 update, which may arrive this fall.

According to a blog post by Dustin Ingalls, group program manager for Windows Security and Identity, the OS refresh will bring a number of improvements for bring-your-own-device (BYOD) management and security, including a move to version 2.0 of the Trusted Platform Module (TPM) specification. The TPM is a security chip (or an equivalent implemented in platform firmware) that provides cryptographic functions such as protected key storage and measurement of the boot components.

The big change in Windows 8.1 is that TPM 2.0 becomes mandatory on all InstantGo devices; until now a TPM has been optional on that class of hardware. InstantGo (previously called Connected Standby) is a low-power mode found on many new devices that keeps the system and its network connections alive while the display is off. Ingalls said the plan is to require TPM 2.0 on all new Windows devices, not just InstantGo hardware, by January 2015.

"If the device supports InstantGo, device encryption can be automatically enabled. As InstantGo will be available on the vast majority of devices, this functionality will be pervasive throughout the enterprise," Ingalls said.
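The practical question for an administrator is whether a given machine actually meets those preconditions. The PowerShell script below is an added example, not code from the article or from Microsoft: it checks TPM presence and readiness, reads the TPM spec version from WMI to confirm it is 2.0, looks for Connected Standby in the sleep states powercfg reports, and queries the protection state of the OS volume. It assumes a Windows 8/8.1 machine, an elevated prompt, the TrustedPlatformModule module (Get-Tpm), the Win32_Tpm and Win32_EncryptableVolume WMI classes, and powercfg; the report field names are this example's own.

```powershell
# Added example (not from the article or Microsoft). Checks the preconditions the
# article describes for automatic device encryption on Windows 8.1: a ready TPM 2.0
# and InstantGo (Connected Standby) support. Run from an elevated PowerShell prompt.
# Assumed available: Get-Tpm (TrustedPlatformModule module), the Win32_Tpm and
# Win32_EncryptableVolume WMI classes, and powercfg.

$report = [ordered]@{}

# TPM presence and readiness from the TrustedPlatformModule module (needs elevation).
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmReady   = $tpm.TpmReady

# Spec version via WMI. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16" for a
# TPM 2.0 part and "1.2, 2, 3" for a TPM 1.2 part.
$tpmWmi = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
$report.TpmSpecVersion = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'none' }
$report.IsTpm20 = [bool]($tpmWmi -and $tpmWmi.SpecVersion -like '2.0*')

# Connected Standby appears in powercfg's list of available sleep states on
# Windows 8/8.1 as "Standby (Connected)"; later Windows versions word it differently.
$powercfgOutput = powercfg /a 2>&1 | Out-String
$report.InstantGo = [bool]($powercfgOutput -match 'Standby \(Connected\)')

# Protection state of the OS volume. GetProtectionStatus() returns
# 0 = protection off, 1 = protection on, 2 = unknown.
$osVolume = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }
if ($osVolume) {
    $status = [int]$osVolume.GetProtectionStatus().ProtectionStatus
    $report.OsVolumeProtection = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }[$status]
} else {
    $report.OsVolumeProtection = 'not available (no volume-encryption WMI class on this edition)'
}

# Verdict in the article's terms: TPM 2.0 is mandatory on InstantGo hardware, and
# device encryption can be switched on automatically when both are present.
$report.AutoEncryptionEligible = $report.IsTpm20 -and $report.TpmReady -and $report.InstantGo

[pscustomobject]$report | Format-List
```

A machine that reports AutoEncryptionEligible as true but OsVolumeProtection as Off is not necessarily misconfigured: automatic device encryption also needs somewhere to escrow the recovery key, so it is completed only after the user signs in with a Microsoft account or the device is joined to a domain. That requirement is a known part of device encryption in Windows 8.1, not something the article states.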

Windows 8.1 also builds on the TPM for other hardware-backed security features, Ingalls noted.

"And in Windows 8.1, we expand on the strategy behind TPM, with features such as key attestation, which allows you to ensure your private key is safely bound to hardware instead of malware, and virtual smartcard management WinRT APIs to enable Windows Store apps to set up and manage virtual smartcards," said Ingalls.

Windows 8.1 also adds native support for fingerprint readers, including swipe sensors. Microsoft is extending fingerprint authentication to all Windows 8.1 devices, and a fingerprint can be used wherever Windows presents a credential prompt, not just at initial sign-in.

The fingerprint support is also exposed through the Windows Runtime (WinRT), so developers can integrate it into their own Windows Store apps.

Next, Ingalls discussed how the management of virtual smart cards (VSC) will be receiving an overhaul. "In Windows 8.1 we have added support for enrollment and management via WinRT APIs so all of these scenarios can be supported through a modern app experience," said Ingalls. "With this, businesses will have more flexibility and control over how devices connect to internal networks and make it easier to securely allow access to personal devices in a BYOD environment."

On the data-protection side, Microsoft is introducing Remote Data Removal, a selective wipe that lets IT pros remotely remove corporate data, such as e-mail, Work Folders content and other sensitive files, from an employee's device while leaving personal data intact. This limits the data exposed when a device is lost or stolen.

Ingalls announced no new malware-protection features for Windows 8.1, but he did reiterate two already disclosed at this year's TechEd conference in June: Windows Defender's new monitoring features, and Internet Explorer 11's ability "to scan the input for a binary extension before it's passed onto the extension for execution."